NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Domain Controller v

Transcription

1 NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Domain Controller v : WIN-0DQG5HQ18AD On WIN-0DQG5HQ18AD - By admin for time period 9/20/ :31:02 PM to 9/20/ :31:02 PM NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Domain Controller v Total score: % 127 out of 229 rules passed 0 out of 229 rules did not pass completely 102 out of 229 rules failed This report was designed for auditing compliance with the CIS Microsoft Windows Server 2008 R2 Benchmark v (Level 1 Domain Controller profile)] Items in this profile apply to Domain Controllers and intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means. Windows Settings Security Settings-System Services Rules Set 'Windows Update' to 'Automatic' Description: Enables the detection, download, and installation ofupdates for Windows and other programs. If this service is disabled, users ofthis computer will not be able to use Windows Update or its automatic updatingfeature, and programs will not be able to use the Windows Update Agent (WUA)API. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 1

2 Set 'Windows Event Log' to 'Automatic' Description: This service manages events and event logs. It supportslogging events, querying events, subscribing to events, archiving event logs,and managing event metadata. It can display events in both XML and plain textformat. Stopping this service may compromise security and reliability of thesystem. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Base Filtering Engine' to 'Automatic' Description: The Base Filtering Engine (BFE) is a service thatmanages firewall and Internet Protocol security (IPsec) policies and implementsuser mode filtering. Stopping or disabling the BFE service will significantlyreduce the security of the system. It will also result in unpredictablebehavior in IPsec management and firewall applications. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 2

3 Set 'Plug and Play' to 'Automatic' Description: Enables a computer to recognize and adapt to hardwarechanges with little or no user input. Stopping or disabling this service willresult in system instability. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'TCP/IP NetBIOS Helper' to 'Automatic' Description: Provides support for the NetBIOS over TCP/IP (NetBT)service and NetBIOS name resolution for clients on the network, thereforeenabling users to share files, print, and log on to the network. If thisservice is stopped, these functions might be unavailable. If this service isdisabled, any services that explicitly depend on it will fail tostart. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 3

4 Set 'IKE and AuthIP IPsec Keying Modules' to 'Automatic' Description: The IKEEXT service hosts the Internet Key Exchange(IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keyingmodules are used for authentication and key exchange in Internet Protocolsecurity (IPsec). Stopping or disabling the IKEEXT service will disable IKE andauthip key exchange with peer computers. IPsec is typically configured to useike or AuthIP; therefore, stopping or disabling the IKEEXT service might resultin an IPsec failure and might compromise the security of the system. It isstrongly recommended that you have the IKEEXT service running. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Security Accounts Manager' to 'Automatic' Description: The startup of this service signals other services thatthe Security Accounts Manager (SAM) is ready to accept requests. Disabling thisservice will prevent other services in the system from being notified when thesam is ready, which may in turn cause those services to fail to startcorrectly. This service should not be disabled. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 4

5 Set 'Power' to 'Automatic' Description: Enables a computer to recognize and adapt to hardwarechanges with little or no user input. Stopping or disabling this service willresult in system instability. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Network List Service' to 'Automatic' Description: Identifies the networks to which the computer hasconnected, collects and stores properties for these networks, and notifiesapplications when these properties change. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Fail: Set 'Network List Service' to 'Automatic' :.'3'. Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2. Computer Configuration\Windows Settings\Security Settings\System Services\Network List ServiceImpact:If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you wish to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment. It is also possible to alter the access control list (ACL) for a service, however do so with caution because unexpected results may arise. For example, changing the default permissions may cause enterprise management software to lose the ability to query the state of that service. 9/24/ :53:23 AM 5

6 Set 'Microsoft Fibre Channel Platform Registration Service' to 'Automatic' Description: Registers the platform with all available Fibre Channelfabrics, and maintains the registrations. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Fail: Set 'Microsoft Fibre Channel Platform Registration Service' to 'Automatic' :.'3'. Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2. Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Fibre Channel Platform Registration ServiceImpact:If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you wish to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment. It is also possible to alter the access control list (ACL) for a service, however do so with caution because unexpected results may arise. For example, changing the default permissions may cause enterprise management software to lose the ability to query the state of that service Set 'Software Protection' to 'Automatic' Description: Enables the download, installation and enforcement ofdigital licenses for Windows and Windows applications. If the service isdisabled, the operating system and licensed applications may run in a reducedfunction mode. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 6

7 Set 'Network Store Interface Service' to 'Automatic' Description: This service delivers network notifications (e.g.interface addition/deleting etc) to user mode clients. Stopping this servicewill cause loss of network connectivity. If this service is disabled, any otherservices that explicitly depend on this service will fail tostart. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Windows Firewall' to 'Automatic' Description: Windows Firewall helps protect your computer bypreventing unauthorized users from gaining access to your computer through theinternet or a network. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 7

8 Set 'COM+ Event System' to 'Automatic' Description: Supports System Event Notification Service (SENS),which provides automatic distribution of events to subscribing Component ObjectModel (COM) components. If the service is stopped, SENS will close and will notbe able to provide logon and logoff notifications. If this service is disabled,any services that explicitly depend on it will fail to start. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Remote Procedure Call (RPC)' to 'Automatic' Description: Serves as the endpoint mapper and COM Service ControlManager. If this service is stopped or disabled, programs using COM or RemoteProcedure Call (RPC) services will not function properly. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 8

9 Set 'DCOM Server Process Launcher' to 'Automatic' Description: Provides launch functionality for DCOMservices. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'User Profile Service' to 'Automatic' Description: This service is responsible for loading and unloadinguser profiles. If this service is stopped or disabled, users will no longer beable to successfully logon or logoff, applications may have problems getting tousers' data, and components registered to receive profile event notificationswill not receive them. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Shell Hardware Detection' to 'Automatic' Description: Provides notifications for AutoPlay hardwareevents. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 9

10 Set 'Windows Management Instrumentation' to 'Automatic' Description: Provides a common interface and object model to accessmanagement information about operating system, devices, applications andservices. If this service is stopped, most Windows-based software will notfunction properly. If this service is disabled, any services that explicitlydepend on it will fail to start. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Group Policy Client' to 'Automatic' Description: The service is responsible for applying settingsconfigured by administrators for the computer and users through the GroupPolicy component. If the service is stopped or disabled, the settings will notbe applied and applications and components will not be manageable through GroupPolicy. Any components or applications that depend on the Group Policycomponent might not be functional if the service is stopped ordisabled. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 10

11 Set 'IP Helper' to 'Automatic' Description: Provides automatic IPv6 connectivity over an IPv4network. If this service is stopped, the machine will only have IPv6connectivity if it is connected to a native IPv6 network. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Cryptographic Services' to 'Automatic' Description: Provides four management services: Catalog DatabaseService, which confirms the signatures of Windows files and allows new programsto be installed; Protected Root Service, which adds and removes Trusted RootCertification Authority certificates from this computer; Automatic RootCertificate Update Service, which retrieves root certificates from WindowsUpdate and enable scenarios such as SSL; and Key Service, which helps enrollthis computer for certificates. If this service is stopped, these managementservices will not function properly. If this service is disabled, any servicesthat explicitly depend on it will fail to start. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 11

12 Set 'Remote Registry' to 'Automatic' Description: Enables remote users to modify registry settings onthis computer. If this service is stopped, the registry can be modified only byusers on this computer. If this service is disabled, any services thatexplicitly depend on it will fail to start. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Workstation' to 'Automatic' Description: Creates and maintains client network connections toremote servers using the SMB protocol. If this service is stopped, theseconnections will be unavailable. If this service is disabled, any services thatexplicitly depend on it will fail to start. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 12

13 Set 'DFS Replication' to 'Automatic' Description: Enables you to synchronize folders on multiple serversacross local or wide area network (WAN) network connections. This service usesthe Remote Differential Compression (RDC) protocol to update only the portionsof files that have changed since the last replication. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1026 (Check that 'DFS Replication' is configured to 'Automatic') Set 'Windows Time' to 'Automatic' Description: Maintains date and time synchronization on all clientsand servers in the network. If this service is stopped, date and timesynchronization will be unavailable. If this service is disabled, any servicesthat explicitly depend on it will fail to start. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Fail: Set 'Windows Time' to 'Automatic' :.'3'. Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2. Computer Configuration\Windows Settings\Security Settings\System Services\Windows TimeImpact:If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you wish to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment. It is also possible to alter the access control list (ACL) for a service, however do so with caution because unexpected results may arise. For example, changing the default permissions may cause enterprise management software to lose the ability to query the state of that service. 9/24/ :53:23 AM 13

14 Set 'Desktop Window Manager Session Manager' to 'Automatic' Description: Provides Desktop Window Manager startup and maintenanceservices Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Task Scheduler' to 'Automatic' Description: Enables a user to configure and schedule automatedtasks on this computer. If this service is stopped, these tasks will not be runat their scheduled times. If this service is disabled, any services thatexplicitly depend on it will fail to start. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2' Set 'Network Location Awareness' to 'Automatic' Description: Collects and stores configuration information for thenetwork and notifies programs when this information is modified. If thisservice is stopped, configuration information might be unavailable. If thisservice is disabled, any services that explicitly depend on it will fail tostart. Rationale: Any service or application is a potential point ofattack. Therefore, you should disable or remove any unneeded services orexecutable files in your environment. There are additional optional servicesavailable in Windows that are not installed during a default installation ofthe operating system. Depending on the version of Windows you can add theseoptional services to an existing computer through Add/Remove Programs incontrol Panel, Programs and Features in Control Panel, Server Manager, or theconfigure Your Server Wizard. Important: If you enable additional services,they may depend on other services. Add all of the services that are needed fora specific server role to the policy for the server role that it performs inyour organization. Pass: Rule passed : '2'. 9/24/ :53:23 AM 14

15 Computer Configuration - Windows Settings - Security Settings - Local Policies Security Options Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled' Description: This policy setting allows Local System servicesthat use Negotiate to use the computer identity when reverting to NTLMauthentication. This policy is supported on at least Windows 7 or WindowsServer 2008 R2. Rationale: When connecting to computers running versions ofwindows earlier than Windows Vista or Windows Server 2008, services runningas Local System and using SPNEGO (Negotiate) that revert to NTLM use thecomputer identity. In Windows 7, if you are connecting to a computer runningwindows Server 2008 or Windows Vista, then a system service uses either thecomputer identity or a NULL session. When connecting with a NULL session, asystem-generated session key is created, which provides no protection butallows applications to sign and encrypt data without errors. When connectingwith the computer identity, both signing and encryption is supported inorder to provide data protection. No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1031 (Check that 'Network security: Allow Local System to use computer identity for NTLM' is configured to 'Enabled') Check 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled' Description: This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables:. AllowWildCards. Enables wildcard support for some commands (such as the DEL command).. AllowAllPaths. Allows access to all files and folders on the computer.. AllowRemovableMedia. Allows files to be copied to removable media, such as a floppy disk.. NoCopyPrompt. Does not prompt when overwriting an existing file. Rationale: An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail. Impact: Users who have started a server through the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk. Pass: Configuration setting defined local security policy (0). 9/24/ :53:23 AM 15

16 Set 'Network security: Allow LocalSystem NULL session fallback' to 'Disabled' Description: Allow NTLM to fall back to NULL session when usedwith LocalSystem. The default is TRUE up to Windows Vista and FALSE inwindows 7. Rationale: NULL sessions are less secure because by definitionthey are unauthenticated. No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1033 (Check that 'Network security: Allow LocalSystem NULL session fallback' is configured to 'Disabled') Set 'Domain controller: LDAP server signing requirements' to 'Require signing' Description: This policy setting determines whether thelightweight Directory Access Protocol (LDAP) server requires LDAP clients tonegotiate data signing. Rationale: Unsigned network traffic is susceptible toman-in-the-middle attacks. In such attacks, an intruder captures packetsbetween the server and the client, modifies them, and then forwards them tothe client. Where LDAP servers are concerned, an attacker could cause aclient to make decisions that are based on false records from the LDAPdirectory. To lower the risk of such an intrusion in an organization'snetwork, you can implement strong physical security measures to protect thenetwork infrastructure. Also, you could implement Internet Protocol security(ipsec) authentication header mode (AH), which performs mutualauthentication and packet integrity for IP traffic to make all types ofman-in-the-middle attacks extremely difficult. No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1035 (Check that 'Domain controller: LDAP server signing requirements' is configured to 'Require signing') Set 'Devices: Allow undock without having to log on' to 'Disabled' Description: This policy setting determines whether a portablecomputer can be undocked if the user does not log on to the system. Enablethis policy setting to eliminate a Logon requirement and allow use of anexternal hardware eject button to undock the computer. If you disable thispolicy setting, a user must log on and have been assigned the Removecomputer from docking station user right to undock thecomputer. Rationale: If this policy setting is enabled, anyone withphysical access to portable computers in docking stations could remove themand possibly tamper with them. Fail: Set 'Devices: Allow undock without having to log on' to 'Disabled' :.'1'. Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allow undock without having to log onimpact:users who have docked their computers will have to log on to the local console before they can undock their computers. For computers that do not have docking stations, this policy setting will have no impact. 9/24/ :53:23 AM 16

17 Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent for non-windows binaries' Description: This policy setting controls the behavior of the elevation prompt for administrators. The options are:. Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.. Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.. Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.. Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.. Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.. Prompt for consent for non-windows binaries: (Default) When an operation for a non-microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. Rationale: One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so. Impact: This policy setting controls the behavior of the elevation prompt for administrators. Pass: Configuration setting defined local security policy (5) Set 'Devices: Allowed to format and eject removable media' to 'Administrators' Description: This policy setting determines who is allowed toformat and eject removable media. You can use this policy setting to preventunauthorized users from removing data on one computer to access it onanother computer on which they have local administratorprivileges. Rationale: Users may be able to move data on removable disks to adifferent computer where they have administrative privileges. The user couldthen take ownership of any file, grant themselves full control, and view ormodify any file. The fact that most removable storage devices will ejectmedia by pressing a mechanical button diminishes the advantage of thispolicy setting. No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1038 (Check that 'Devices: Allowed to format and eject removable media' is configured to 'Administrators') 'Network security: LAN Manager authentication level' must be set to 'Send NTLMv2 response only/refuse LM' Description: LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include 9/24/ :53:23 AM 17

18 transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:. Join a domain. Authenticate between Active Directory forests. Authenticate to down-level domains. Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP). Authenticate to computers that are not in the domain The possible values for the Network security: LAN Manager authentication level setting are:. Send LM and NTLM responses. Send LM and NTLM use NTLMv2 session security if negotiated. Send NTLM responses only. Send NTLMv2 responses only. Send NTLMv2 responses only\refuse LM. Send NTLMv2 responses only\refuse LM and NTLM. Not Defined The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept as follows:. Send LM and NTLM responses. Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Send LM and NTLM use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Send NTLM response only. Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Send NTLMv2 response only. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Send NTLMv2 response only\refuse LM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).. Send NTLMv2 response only\refuse LM and NTLM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). These settings correspond to the levels discussed in other Microsoft documents as follows:. Level 0 Send LM and NTLM response; never use NTLMv2 session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Level 1 Use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Level 2 Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Level 3 Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.. Level 4 Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication, that is, they accept NTLM and NTLMv2.. Level 5 Domain controllers refuse LM and NTLM responses (accept only NTLMv2). Clients use NTLMv2 authentication, use and NTLMv2 session security if the server supports it. Domain controllers refuse NTLM and LM authentication (they accept only NTLMv2). Rationale: In Windows Vista, this setting is undefined. However, in Windows 2000, Windows Server 2003, and Windows XP clients are configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default setting on servers allows all clients to authenticate with servers and use their resources. However, this means that LM responses the weakest form of authentication response are sent over the network, and it is potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for earlier clients and servers, Windows-based clients and servers that are members of the domain will use 9/24/ :53:23 AM 18

19 the Kerberos authentication protocol to authenticate with Windows Server 2003 domain controllers. No usable Number data collected for securitypolicy_se_lsa_lmcompatibilitylevel Set 'Domain controller: Refuse machine account password changes' to 'Disabled' Description: This security setting determines whether domaincontrollers will refuse requests from member computers to change computeraccount passwords. By default, member computers change their computeraccount passwords every 30 days. If enabled, the domain controller willrefuse computer account password change requests. If it is enabled, thissetting does not allow a domain controller to accept any changes to acomputer account's password. Default: This policy is not defined, whichmeans that the system treats it as Disabled. Rationale: If you enable this policy setting on all domaincontrollers in a domain, domain members will not be able to change theircomputer account passwords, and those passwords will be more susceptible toattack. No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1040 (Check that 'Domain controller: Refuse machine account password changes' is configured to 'Disabled') 'User Account Control: Run all administrators in Admin Approval Mode' must be set to 'Enabled' Description: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are:. Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.. Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. Rationale: This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system. Pass: Configured Setting is local security policy (1). 9/24/ :53:23 AM 19

20 Set 'Domain controller: Allow server operators to schedule tasks' to 'Disabled' Description: This policy setting determines whether members ofthe Server Operators group are allowed to submit jobs by means of the ATschedule facility. The impact of this policy setting configuration should besmall for most organizations. Users, including those in the Server Operatorsgroup, will still be able to create jobs by means of the Task SchedulerWizard, but those jobs will run in the context of the account with which theuser authenticates when they set up the job. Note: An AT Service Account canbe modified to select a different account rather than the LOCAL SYSTEMaccount. To change the account, open System Tools, click Scheduled Tasks,and then click Accessories folder. Then click AT Service Account on theadvanced menu. Rationale: If you enable this policy setting, jobs that arecreated by server operators by means of the AT service will execute in thecontext of the account that runs that service. By default, that is the localsystem account. If you enable this policy setting, server operators couldperform tasks that SYSTEM is able to do but that they would typically not beable to do, such as add their account to the local Administratorsgroup. No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1042 (Check that 'Domain controller: Allow server operators to schedule tasks' is configured to 'Disabled') 'User Account Control: Admin Approval Mode for the Built-in Administrator account' must be set to 'Enabled' Description: This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are:. Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.. Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. Rationale: One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named "Administrator" because that user account was created for all installations of Windows. To address this risk, in Windows Vista the built-in Administrator account is disabled. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:. If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.. If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows Vista is installed, the built-in Administrator account may be enabled, but we strongly recommend that this account remain disabled. Fail: Configured Setting is local security policy (0) Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account. 9/24/ :53:23 AM 20